Hunters International Shifts From Ransomware to Pure Data Extortion
Summary:
Hunters International is a ransomware group that emerged in late 2023 and is suspected to be a rebrand of the former Hive ransomware. Initially, the group focused heavily on data exfiltration rather than encryption, which set it apart from other ransomware groups. The actors leveraged a tool called "Storage Software" to collect and organize metadata from stolen files, sending the data to the group's servers and offering a controlled platform for affiliates to manage their targets and disclosures. As Hunters International continued to evolve, its targets expanded across critical sectors, particularly healthcare. The group's affiliate panel system provided a structured workflow, allowing threat actors to track victims, negotiate ransoms, and process payments. However, by November 2024, the operators of Hunters International announced they were shutting down due to increasing law enforcement pressure and the declining profitability of ransomware attacks. Despite this, the group rebranded as World Leaks in January 2025, shifting its focus to extortion-only tactics and removing encryption entirely from its operations. This rebrand involved the development of an automated tool designed for data exfiltration, which appears to be an upgraded variant of the Storage Software tool, marking a significant pivot from ransomware attacks to solely extorting victims through the threat of leaked data. Furthermore, researchers note that the latest variants of Hunters International's ransomware strain have stopped renaming encrypted files or dropping ransom notes, a shift aligned with the group's strategy to minimize visibility and avoid detection, while continuing to pressure victims through direct, personalized extortion tactics such as phone calls, emails, and social media.
Security Officer Comments:
This development aligns with a broader trend among ransomware groups, such as Cl0p, shifting from encryption-based attacks to extortion-focused tactics. With the rise in ransomware attacks over the past few years, organizations have increasingly strengthened their defenses and developed more effective recovery strategies, allowing them to restore encrypted files. As a result, traditional encryption-based ransom demands have become less effective, with fewer organizations yielding to these attacks. In response, groups like Hunters International are pivoting toward extortion tactics, where the primary focus is on exfiltrating sensitive data and holding it hostage for payment, bypassing the need for encryption altogether.
Suggested Corrections:
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because, if your network data is encrypted by ransomware, your organization can still restore systems from them.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.
Link(s):
https://www.bleepingcomputer.com/ne...ds-as-world-leaks-in-shift-to-data-extortion/